`golang.org/x/tools/go/packages: unexpected new packages during load` when upgrading to 1.24.1
140 views
Skip to first unread message
Samuel Littley
Mar 7, 2025, 12:42:08 PMMar 7
to golang-nuts
I've been working on upgrading my company's code repository from 1.23.6 to 1.24.1, and have found that running gosec now fails with an error like panic: golang.org/x/tools/go/packages: unexpected new packages during load of <some module> (full output at the end of this message). The module which fails changes on different runs; sometimes it's a stdlib package, sometimes it's a third party module, sometimes it's a first party module. The error comes from here.
I rebuilt gosec with a doctored version of golang.org/x/tools to make it actually report which package is unexpected; it is always "internal/runtime/maps" which was only added in Go 1.24. This feels like at least the smoke from a smoking gun, but it's unclear why that package is unexpectedly getting loaded.
Unfortunately I haven't managed to produce a minimal reproduction, as I don't know what causes that module to be loaded (and what we're currently applying gosec too has a huge amount of dependencies).
We're using Please as our build system, which means we're using its package driver to actually locate all the modules. There is actually a test which runs gosec, but this seems to be working fine after upgrading that repository to 1.24.1 (although that test is loading significantly less code than where gosec is failing on our internal repository).
I would appreciate some advice from an expert on either golang.org/x/tools/go/packages or internal/runtime/maps
Full gosec output:
[gosec] 2025/03/07 12:38:16 Including rules: default
[gosec] 2025/03/07 12:38:16 Excluding rules: default
[gosec] 2025/03/07 12:38:16 Including analyzers: default
[gosec] 2025/03/07 12:38:16 Excluding analyzers: default
[gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
[gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
[gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
[gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
2025/03/07 12:38:16 golang.org/x/tools/go/packages: unexpected new packages during load of github.com/prometheus/client_golang/prometheus
panic: golang.org/x/tools/go/packages: unexpected new packages during load of github.com/prometheus/client_golang/prometheus
goroutine 282 [running]:
log.Panicf({0xfd8f44?, 0x2?}, {0xc000b53b30?, 0x1b?, 0xc000f75020?})
/opt/tm/tools/go/1.24.1-20250305/usr/go/src/log/log.go:439 +0x65
golang.org/x/tools/go/packages.(*loader).loadFromExportData(0xc000394000, 0xc0019fdcc0)
/home/slittley/third_party/tools/go/packages/packages.go:1553 +0x97e
golang.org/x/tools/go/packages.(*loader).loadPackage(0xc000394000, 0xc0019fdcc0)
/home/slittley/third_party/tools/go/packages/packages.go:1084 +0x4f1
golang.org/x/tools/go/packages.(*loader).refine.func2.1()
/home/slittley/third_party/tools/go/packages/packages.go:954 +0x2d
golang.org/x/sync/errgroup.(*Group).Go.func1()
/home/slittley/go/pkg/mod/golang.org/x/sy...@v0.12.0/errgroup/errgroup.go:78 +0x50
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 280
/home/slittley/go/pkg/mod/golang.org/x/sy...@v0.12.0/errgroup/errgroup.go:75 +0x93
[gosec] 2025/03/07 12:38:16 Excluding rules: default
[gosec] 2025/03/07 12:38:16 Including analyzers: default
[gosec] 2025/03/07 12:38:16 Excluding analyzers: default
[gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
[gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
[gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
[gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
2025/03/07 12:38:16 golang.org/x/tools/go/packages: unexpected new packages during load of github.com/prometheus/client_golang/prometheus
panic: golang.org/x/tools/go/packages: unexpected new packages during load of github.com/prometheus/client_golang/prometheus
goroutine 282 [running]:
log.Panicf({0xfd8f44?, 0x2?}, {0xc000b53b30?, 0x1b?, 0xc000f75020?})
/opt/tm/tools/go/1.24.1-20250305/usr/go/src/log/log.go:439 +0x65
golang.org/x/tools/go/packages.(*loader).loadFromExportData(0xc000394000, 0xc0019fdcc0)
/home/slittley/third_party/tools/go/packages/packages.go:1553 +0x97e
golang.org/x/tools/go/packages.(*loader).loadPackage(0xc000394000, 0xc0019fdcc0)
/home/slittley/third_party/tools/go/packages/packages.go:1084 +0x4f1
golang.org/x/tools/go/packages.(*loader).refine.func2.1()
/home/slittley/third_party/tools/go/packages/packages.go:954 +0x2d
golang.org/x/sync/errgroup.(*Group).Go.func1()
/home/slittley/go/pkg/mod/golang.org/x/sy...@v0.12.0/errgroup/errgroup.go:78 +0x50
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 280
/home/slittley/go/pkg/mod/golang.org/x/sy...@v0.12.0/errgroup/errgroup.go:75 +0x93
Thought Machine Group Limited, a company registered in England & Wales.
Registered number: 11114277.
Registered Office: 5 New Street Square, London EC4A 3TW.
The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.
Jim Idle
Mar 7, 2025, 1:11:11 PMMar 7
to Samuel Littley, golang-nuts
It look like gosec can be told what version of Go it inspecting. The error sounds like it is saying that this package is not known to it, which would make sense if somewhere you have told it it is inspecting 1.23.6 as then this would be an unexpected package in that version of Go.
Have you updated goes and made sure that it is either getting the correct version of Go from your go.mod files or that you have not overridden that with the environment variable that does so?
Jim
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/27160045-f8a8-4191-81ac-040a9264ce01n%40googlegroups.com.
Samuel Littley
Mar 10, 2025, 6:35:48 AMMar 10
to Jim Idle, golang-nuts
Thanks for the tip Jim. I made sure all the relevant go.mod files referenced version 1.24.1, tried setting the GOSECGOVERSION variable, and made sure there were no other suspicious-looking env variables in the build environment, but no luck :( it looks like gosec's version helper is only actually used in a couple of rules, and I don't think it's getting as far as running rules before it hits these errors.
Reply all
Reply to author
Forward
0 new messages